Apple iTunes accounts hacked as more rogue developers emerge

It appears that after seven months, Apple is still having difficulty coming to terms with the fact that hackers are targeting iTunes accounts to purchase apps and artificially inflate the revenue received, particularly apps originating from the developer account of “Hongbin Suo”.

Fast-forward to mid-February: we receive a tip from a worried iTunes account holder, and Apple’s forums begin to fill up with users complaining of transactions on their iTunes accounts that they didn’t authorise. Reports point to apps from the developer account Hongbin Suo, particularly Texas Hold’Em and other Chinese apps which were either paid downloads or made use of Apple’s in-app purchasing.

Each user has a similar story as to what is happening to their iTunes account:

Add me to the list of people who got scammed. Someone took $21.24 for a fraudulent in app purchase for “德州撲克, 560,000 chips, Seller: Hongbin Suo” and “德州撲克, v2.0, Seller: Hongbin Suo”. After googling it, the only app I could find was Boyaa Texas Hold’em from Boyaa Company Limited, which I’ve never downloaded or used. For now, I’ll assume they are an innocent party to this.

My money was from a gift card, so I can’t even dispute it with a credit card company. I sure hope Apple comes through and doesn’t give me a hassle over it.

One thing that seems to connect each of the affected iTunes users is that they have used Gift Cards to add iTunes credit to their account.

This would suggest that the Gift Cards have been compromised in some way: either accounts are being phished after someone has bought a Gift Card via an online auction site such as eBay, or there is a vulnerability in the way iTunes Gift Cards are generated. We are looking into whether this is the case.

Users have taken to Twitter, highlighting the extent of the attacks.

Apple has been slow to address the matter. In most cases it has issued a standard response telling the affected account holder that the Apple support team is looking into the issue and that they should hear back in 12-24 hours. Some account holders have received a response and notification of a refund, but others report waiting three days without word from Apple, and some reported issues up to 14 days earlier that have still not been dealt with.

Given that the same apps have been purchased from the same developer accounts since at least February 17, Apple has been aware of the issue for over a week, yet users are still being charged for the very same apps despite the reports filed against them.

The affected accounts are typically being charged around $25, ranging up to $50. These aren’t small purchases. The majority of accounts seem to have Gift Cards tied to them, which hopefully means Credit Card information has not been compromised (although some users have reported that their details have been amended).

The nature of the compromise could be out of Apple’s hands: if Gift Cards have been purchased via unofficial resellers, it is possible that accounts have been targeted as a result. Another thing to note is that iTunes accounts are only as secure as the details used to protect them.

The issue here is that compromised accounts are being used to purchase the same apps and to debit balances by as much as $50, and this continues at the time of writing. It’s not the first time this has happened either.

If you are worried that you might be at risk, here’s what you should do: